CVE-2015-2857
published 2017-08-22

CVE-2015-2857: Accellion File Transfer Appliance before FTA_9_11_210 allows remote attackers to execute arbitrary code via shell metacharacters in the oauth_token parameter.

Priority: P1 (82) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 84.18% (99.7th percentile)

Affected (1 range)

Vendor: accellion · Product: file_transfer_appliance · Version range: <= 9_11_200 · Fixed in: FTA_9_11_210

Detection & IOCs (extracted from sources)

url: /tws/getStatus
url: /seos/find.api
url: /seos/put.api
url: /seos/mput.api
command: ';#{payload.encoded};echo '
port: 443
path: /opt/bin/perl /home/seos/system/call_webservice.pl
  • Detect POST requests to /tws/getStatus, /seos/find.api, /seos/put.api, or /seos/mput.api whose oauth_token parameter contains shell metacharacters (e.g., single quotes and semicolons). A legitimate token is an MD5 digest, so anything outside 32 hex characters is already suspicious.
  • Look for POST requests to /tws/getStatus with an oauth_token value matching the pattern ';...;echo ', which is the injection payload wrapper used by the public exploit.
  • A successful exploitation attempt returns HTTP 200 with a JSON body containing '"result_msg":"Success","transaction_id":"'; alert when this response follows a request with a malformed or injected oauth_token.
  • The exploit's check routine first sends oauth_token=invalid and expects '"result_msg":"MD5 token is invalid"'; a subsequent request from the same source with metacharacters that returns Success indicates a vulnerable host was found and exploited.
  • Monitor execution of /opt/bin/perl /home/seos/system/call_webservice.pl with unexpected arguments or unexpected child processes (a shell, id, curl, wget, etc.), which indicates successful exploitation of the oauth_token injection.
  • The exploit targets port 443 with SSL enabled by default; detection rules must handle HTTPS traffic and will generally need TLS interception (or appliance-side web logs that record the POST body) to see the oauth_token parameter at all.
  • The vulnerability was confirmed on FTA_9_11_200 but may affect earlier versions; do not scope detection to that specific version.
  • Multiple endpoints are vulnerable beyond /tws/getStatus; detection coverage must include /seos/find.api, /seos/put.api, and /seos/mput.api.

CVSS provenance

NVD · CVSS v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD · CVSS v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P